From: Vitaly Chikunov <vt@altlinux.org>
To: Ranganath V N <vnranganath.20@gmail.com>,
linux-rt-devel@lists.linux.dev
Cc: edumazet@google.com, davem@davemloft.net,
david.hunter.linux@gmail.com, horms@kernel.org,
jhs@mojatatu.com, jiri@resnulli.us, khalid@kernel.org,
kuba@kernel.org, pabeni@redhat.com, xiyou.wangcong@gmail.com,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
skhan@linuxfoundation.org
Subject: Re: [PATCH net v4 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Date: Fri, 12 Dec 2025 03:54:26 +0300 [thread overview]
Message-ID: <tnqp5igbbqyl6emzqnei2o4kuz@altlinux.org> (raw)
In-Reply-To: <20251109091336.9277-3-vnranganath.20@gmail.com>
On Sun, Nov 09, 2025 at 02:43:36PM +0530, Ranganath V N wrote:
> Fix a KMSAN kernel-infoleak detected by the syzbot .
>
> [net?] KMSAN: kernel-infoleak in __skb_datagram_iter
>
> In tcf_ife_dump(), the variable 'opt' was partially initialized using a
> designatied initializer. While the padding bytes are reamined
> uninitialized. nla_put() copies the entire structure into a
> netlink message, these uninitialized bytes leaked to userspace.
>
> Initialize the structure with memset before assigning its fields
> to ensure all members and padding are cleared prior to beign copied.
>
> This change silences the KMSAN report and prevents potential information
> leaks from the kernel memory.
>
> This fix has been tested and validated by syzbot. This patch closes the
> bug reported at the following syzkaller link and ensures no infoleak.
>
> Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
> Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
> Fixes: ef6980b6becb ("introduce IFE action")
> Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
> ---
> net/sched/act_ife.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
> index 107c6d83dc5c..7c6975632fc2 100644
> --- a/net/sched/act_ife.c
> +++ b/net/sched/act_ife.c
> @@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
> unsigned char *b = skb_tail_pointer(skb);
> struct tcf_ife_info *ife = to_ife(a);
> struct tcf_ife_params *p;
> - struct tc_ife opt = {
> - .index = ife->tcf_index,
> - .refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> - .bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
> - };
> + struct tc_ife opt;
> struct tcf_t t;
>
> + memset(&opt, 0, sizeof(opt));
> +
> + opt.index = ife->tcf_index,
> + opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> + opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
Are you sure this is correct to delimit with commas instead of
semicolons?
This already causes build failures of 5.10.247-rt141 kernel, because
their spin_lock_bh unrolls into do { .. } while (0):
CC [M] net/sched/act_ife.o
In file included from ./include/linux/spinlock.h:329,
from ./include/linux/mmzone.h:8,
from ./include/linux/gfp.h:6,
from ./include/linux/mm.h:10,
from ./include/linux/bvec.h:14,
from ./include/linux/skbuff.h:17,
from net/sched/act_ife.c:20:
net/sched/act_ife.c: In function 'tcf_ife_dump':
./include/linux/spinlock_rt.h:44:2: error: expected expression before 'do'
44 | do { \
| ^~
net/sched/act_ife.c:655:2: note: in expansion of macro 'spin_lock_bh'
655 | spin_lock_bh(&ife->tcf_lock);
| ^~~~~~~~~~~~
make[2]: *** [scripts/Makefile.build:286: net/sched/act_ife.o] Error 1
make[2]: *** Waiting for unfinished jobs....
Thanks,
> +
> spin_lock_bh(&ife->tcf_lock);
> opt.action = ife->tcf_action;
> p = rcu_dereference_protected(ife->params,
> --
> 2.43.0
>
next prev parent reply other threads:[~2025-12-12 1:01 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-09 9:13 [PATCH v4 net 0/2] net: sched: initialize struct tc_ife to fix kernel-infoleak Ranganath V N
2025-11-09 9:13 ` [PATCH net v4 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak Ranganath V N
2025-11-09 9:30 ` Eric Dumazet
2025-11-09 9:13 ` [PATCH net v4 2/2] net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Ranganath V N
2025-11-09 9:31 ` Eric Dumazet
2025-12-12 0:54 ` Vitaly Chikunov [this message]
2025-12-12 16:26 ` Jamal Hadi Salim
2025-12-12 16:29 ` Jamal Hadi Salim
2025-12-14 21:38 ` Vitaly Chikunov
2025-12-15 16:27 ` Jamal Hadi Salim
2025-11-10 20:02 ` [PATCH v4 net 0/2] net: sched: initialize struct tc_ife to fix kernel-infoleak Cong Wang
2025-11-11 14:10 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tnqp5igbbqyl6emzqnei2o4kuz@altlinux.org \
--to=vt@altlinux.org \
--cc=davem@davemloft.net \
--cc=david.hunter.linux@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=khalid@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rt-devel@lists.linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=skhan@linuxfoundation.org \
--cc=vnranganath.20@gmail.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox